Posted by: David Harley | January 5, 2014

Phurther Phish

Having spent quite a lot of time talking about phishing scams in recent weeks, I was intending to concentrate on other security issues for a while. There are, after all, quite enough alternative topics…

Still, I couldn’t resist this classic example of a phishing message in the threat category, where the intent is to persuade you to click on a questionable link because otherwise something horrible will happen. In this case, ‘something horrible’ means not having access to your account.

Valued Customer,

Recently, we noticed that someone has made suspicious attempts to log into your online account from this (IP) address “”

Therefore our security commitment forces us to block your account temporarily until you verify your identity on our systems.

Lloyds Online Log on

Best Wishes,

Lloyds Banking Group PLC

This sample arrived with the subject ‘Account Review Notification’ (which seems to be a favourite among banking phish messages at the moment), and the apparent sender was Lloyds Banking Group, at “e-secure(at)”: note the misspelling of the domain name, though at a glance you might read it as

The first major indicator here is that ‘your’ bank apparently doesn’t know your name, or your account number, or any other indication of personalization. That, of course, is because the scammer doesn’t know anything about you: he simply threw the same more-or-less untargeted message at a batch of email addresses. Bear in mind, though, that some phishing scams do include a meaningless transaction number or other attempt to give a spurious impression of personalization, and may even do so by including your email address. ‘Valued Customer’ just doesn’t cut it.

It’s not unusual for phishing emails to claim that your account is blocked because of unusual activity, but offers as supporting ‘evidence’ an IP address. In fact, the address cited belongs to a European provider of Internet and other services, so could be used as a springboard for an attack, but since the phisher clearly doesn’t expect the victim to be particularly tech-savvy, he probably only wanted it to look like a genuine class C address that wouldn’t be investigated. The addition of the “port information” is simply intended to make it look a little more technical and impressive. And, of course, to justify the alleged blocking of the victim’s account.

If you get a message along these lines and you think it might relate to a real account that you hold, I’d strongly suggest that before you give any credence to the message at all, you might try to log into your account in the normal way using an URL known to be genuine, rather than clicking on anything you see in the message. (In this case, the ‘login’ link given in the message goes to a phishing site, though I’ve substituted something a little less harmful in the message above, in case someone is tempted to click on it.)

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: